Hoppscotch Unauthenticated Onboarding Config Disclosure Vulnerability

Vulnerability

A vulnerability in Hoppscotch's self-hosted backend, affecting versions from 2025.7.0 up to but not including 2026.4.0, allows unauthenticated users to read all infrastructure secrets in plaintext through the GET /v1/onboarding/config endpoint. The issue arises when the ONBOARDING_RECOVERY_TOKEN stored in the database is empty: the token check is bypassed and the endpoint returns sensitive configuration values such as OAuth client IDs and secrets, SMTP credentials, and other private data.

Impact

This vulnerability leads to the unauthorized disclosure of sensitive infrastructure secrets, including OAuth client IDs and secrets (for Google, GitHub, and Microsoft), SMTP credentials, Microsoft tenant IDs, callback URLs, and all other InfraConfig values.

Reproduction

The vulnerability can be reproduced by sending a GET request to the /v1/onboarding/config endpoint without a token, or with an incorrect token. If the stored ONBOARDING_RECOVERY_TOKEN is empty, the request succeeds and the response contains all stored configuration secrets in plaintext. An instance whose stored token is non-empty does not pass the bypass condition described here, but an empty token is the default state the advisory warns about, so check the stored value rather than assuming it is set.
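To make the failure mode in the Vulnerability and Reproduction sections concrete, the following TypeScript is an added illustration written for this page; it is not Hoppscotch's code and does not reproduce its actual handler. The InfraConfig sample, the two guard functions, the simulated handler and the leak check are all assumptions for demonstration. The vulnerable guard shows the shape of the bug the advisory describes (a token check that is skipped when the stored token is empty); the hardened guard fails closed and compares in constant time.

```typescript
// Added example for this advisory page; not Hoppscotch project code.
// Models a token-gated GET /v1/onboarding/config handler. Everything here
// (config rows, guard logic, response shape) is an assumption for illustration.

// Constructed sample of a self-hosted InfraConfig table. The recovery token is
// empty, which is the condition the advisory describes.
const sampleInfraConfig: Record<string, string> = {
  GOOGLE_CLIENT_ID: "example-google-client-id",
  GOOGLE_CLIENT_SECRET: "example-google-client-secret",
  MAILER_SMTP_PASSWORD: "example-smtp-password",
  MICROSOFT_TENANT: "example-tenant-id",
  ONBOARDING_RECOVERY_TOKEN: "",
};

type Reply = { status: number; body: Record<string, string> };
type Guard = (stored: string | undefined, supplied: string | undefined) => boolean;

// Vulnerable guard (illustrative): the comparison only runs when a token is
// stored, so an empty stored token lets every request through, with or
// without a supplied token.
function vulnerableGuard(stored: string | undefined, supplied: string | undefined): boolean {
  if (stored) {
    return supplied === stored;
  }
  return true;
}

// Constant-time string comparison. In Node code you would use
// crypto.timingSafeEqual on Buffers; this hand-written version keeps the
// example free of platform imports. Length is still revealed, which is
// acceptable for a fixed-length random token.
function constantTimeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  }
  return diff === 0;
}

// Hardened guard: fail closed when no token is configured or none is
// supplied, then compare in constant time.
function hardenedGuard(stored: string | undefined, supplied: string | undefined): boolean {
  if (!stored || !supplied) return false;
  return constantTimeEqual(stored, supplied);
}

// Simulated handler for GET /v1/onboarding/config. The guard is injected so
// the same handler can be exercised with the vulnerable and hardened checks.
function handleOnboardingConfig(
  config: Record<string, string>,
  supplied: string | undefined,
  guard: Guard,
): Reply {
  const stored = config.ONBOARDING_RECOVERY_TOKEN;
  if (!guard(stored, supplied)) {
    return { status: 403, body: { error: "invalid onboarding token" } };
  }
  // Return every InfraConfig row except the token itself.
  const { ONBOARDING_RECOVERY_TOKEN: _token, ...rest } = config;
  return { status: 200, body: rest };
}

// Post-upgrade check: flag a response whose keys look like credentials.
function leaksSecrets(body: Record<string, string>): boolean {
  const sensitive = /(SECRET|PASSWORD|CLIENT_ID|TENANT)/i;
  return Object.keys(body).some((key) => sensitive.test(key));
}

// Stand-alone demonstration of both guards against the constructed config.
const beforeFix = handleOnboardingConfig(sampleInfraConfig, undefined, vulnerableGuard);
const afterFix = handleOnboardingConfig(sampleInfraConfig, undefined, hardenedGuard);
console.log("vulnerable guard:", beforeFix.status, "leaks secrets:", leaksSecrets(beforeFix.body));
console.log("hardened guard:", afterFix.status, "leaks secrets:", leaksSecrets(afterFix.body));
```

The point of the hardened guard is the first line: an absent or empty stored token must deny the request, not skip the check. The leaksSecrets helper is a cheap smoke test to run against an upgraded instance: an unauthenticated GET to the endpoint should yield a denial whose body contains no credential-like keys.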

Remediation

Update to Hoppscotch version 2026.4.0 or later. If an affected instance was reachable while its ONBOARDING_RECOVERY_TOKEN was empty, treat the values returned by this endpoint (OAuth client secrets, SMTP credentials and the rest of InfraConfig) as potentially disclosed and rotate them after upgrading.

Added: May 13, 2026, 10:19 PM
Updated: May 13, 2026, 10:19 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 8.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.